
Asset Management is the Key to Surviving the Internet

Resolve to Get a Handle on Your Assets in 2022

By: Joe Pierini

Asset management is hard … for everyone.

What do NASA, Estée Lauder, Equifax, and Ancestry.com have in common? Between them, they can trace breaches exposing nearly a million customer records to poor asset management. Whether it was unmanaged devices, exposed databases, or sloppy third parties, these mistakes exposed their systems to compromise and their customers to identity theft and abuse. However, they’re not alone.


The History of Asset Management-related Breaches

Historically, many organizations have been breached because of bad asset management. If you don’t know that you own an asset and leave it unmanaged and unpatched on the internet, it’s going to be hacked. Take, for example, the wave of compromised AWS S3 buckets in 2017-2019. For a while there it was like shooting fish in a barrel, with reports of newly discovered S3 buckets containing all sorts of juicy information coming every week.

In 2020, Intruder.io reported that MongoDB instances were getting popped within 24 hours of being stood up, and in one deployment, the instance was compromised in just nine minutes. But this is simply a case of history repeating itself. In 2004, in an eye-opening report, the Internet Storm Center (ISC) stated that the average survival time for a Windows system was under 20 minutes, less time than it took to download the requisite patches!

To compound the risk, applications and operating systems have become easier to set up and deploy, even with limited technical expertise. This means that it isn’t strictly necessary to engage IT to stand them up, which creates Shadow IT. Shadow IT is the deployment of hardware or software by a department or individual without the knowledge of the IT group within the organization. Examples of Shadow IT assets include situations like the following:

  • The visitor registration kiosk in the reception area installed by Security.
  • Network-enabled, infrared, non-contact thermometers for COVID-19 mitigation deployed by HR.
  • The smart TV, refrigerator, and coffee maker in the break room with outdated and vulnerable versions of Android set up by Facilities.
  • The proof-of-concept application set up in the Cloud by Finance to test a new payroll system.

Governance, Risk, and Compliance (GRC) and Asset Management

In some cases IT may turn a blind eye to some of these activities — possibly because it is politically expedient, or because the team is too overworked to put up a fight. However, even when IT is no longer responsible for the physical infrastructure, or even for managing the application, it is still responsible for ensuring security and compliance for applications and devices that, if compromised, could pose a threat to the organization.

For that reason, even if you fly below the radar of the bad guys, you can still get popped by your auditor. Asset management is required by a variety of regulatory regimes, including the CIS Critical Controls, NIST, PCI, FedRAMP, and CMMC, just to name a few. They’re going to want an up-to-date inventory with data owners, risk levels, and patch schedules. Fail to provide them with what they ask for, and they can hold your compliance status for ransom — affecting your ability to sell in the marketplace — or even require you to pay fines.

Because of all of these requirements asset management can’t be a “one and done” exercise. It must be a continuous process, a process that integrates all of the tools you have in hand. Consider leveraging your offensive security test results from vulnerability scans and penetration tests to identify new or previously unidentified assets.

Continuous Penetration Testing and Asset Management

A penetration test or red team exercise always starts with a discovery phase, and most testers and advanced operators pride themselves on their OSINT skills. OSINT, or Open Source Intelligence Gathering, is defined by the Office of the Director of National Intelligence as “publicly available information appearing in print or electronic form including radio, television, newspapers, journals, the Internet, commercial databases, and videos, graphics, and drawings.” An OSINT search for the purposes of identifying unknown assets can yield a wealth of information and is well worth the extra time invested.

As we mentioned previously, this isn’t a one-time exercise, and you should take the time to evaluate your assets between pen tests. You can DIY your OSINT for continuous visibility using freely available tools and websites such as the following:

  • BloodHound — BloodHound is an internal tool to identify devices, accounts, privileges, and the interrelationships between all of them.
  • Maltego — Maltego is a graphical link analysis tool purpose-built to help users to gather and collect OSINT.
  • Shodan.io — Shodan is a website that scans the internet constantly and provides a powerful search engine allowing customized queries.
  • Censys.io — Censys is a website that continually scans the public IPv4 address space on 3,552+ ports, helping you parse TLS certificates and track domains.
  • Recon-ng — Recon-ng is a reconnaissance framework that can perform open-source, web-based information gathering for a single target or range of IPs.
  • Google Dorks — Google Dorks are Google search operators combined with targeted parameters to find specific information.
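The practical step that turns tool output into asset management is reconciliation: comparing what external discovery sees against what the inventory says, so that unknown hosts (the Shadow IT above), silent inventory entries, and stale patch dates surface automatically between pen tests. The following is an added example, not PlexTrac code and not the output format of any of the tools listed; the inventory CSV, the scan JSON, the field names, the owned IP range, and the list of high-risk ports are all constructed assumptions that a real deployment would replace with its own exports.

```python
"""Reconcile externally observed hosts against the internal asset inventory.

Added example (not PlexTrac code). Input formats, field names, the owned
IP range and the sample data are constructed assumptions; real scanner and
OSINT exports differ per tool and would be loaded in place of the strings.
"""
from __future__ import annotations

import csv
import io
import ipaddress
import json
from dataclasses import dataclass, field
from datetime import date

# Constructed sample: the organisation's single-source-of-truth inventory export.
INVENTORY_CSV = """asset,ip,owner,last_patched
web-01,203.0.113.10,IT,2022-01-05
mail-01,203.0.113.20,IT,2021-12-20
vpn-01,203.0.113.30,IT,2022-01-02
"""

# Constructed sample: hosts and open ports as an external scan / OSINT tool might export them.
EXTERNAL_SCAN_JSON = """[
  {"ip": "203.0.113.10", "ports": [443]},
  {"ip": "203.0.113.30", "ports": [443, 1194]},
  {"ip": "203.0.113.45", "ports": [27017]},
  {"ip": "203.0.113.50", "ports": [22, 9200]},
  {"ip": "198.51.100.7", "ports": [80]}
]"""

# Assumed: the address space the organisation believes it owns (documentation range).
OWNED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Assumed: services that are a red flag when exposed on a host nobody inventoried.
HIGH_RISK_PORTS = {27017: "MongoDB", 9200: "Elasticsearch", 3389: "RDP", 445: "SMB"}


@dataclass
class Reconciliation:
    unknown: dict[str, list[int]] = field(default_factory=dict)  # seen externally, not inventoried
    silent: set[str] = field(default_factory=set)                 # inventoried, not seen externally
    out_of_scope: set[str] = field(default_factory=set)           # seen, but outside declared ranges
    high_risk: list[tuple[str, int, str]] = field(default_factory=list)
    stale_patch: dict[str, int] = field(default_factory=dict)     # asset name -> days since patch


def load_inventory(text: str) -> dict[str, dict[str, str]]:
    """Index inventory rows by IP address."""
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(text))}


def load_scan(text: str) -> dict[str, list[int]]:
    """Index scan results by IP address; ports sorted so output is stable."""
    return {host["ip"]: sorted(host["ports"]) for host in json.loads(text)}


def reconcile(inventory: dict[str, dict[str, str]], scan: dict[str, list[int]],
              owned_ranges: list[ipaddress.IPv4Network], as_of: date,
              max_patch_age_days: int = 14) -> Reconciliation:
    """Bucket every host into one of the findings a defender needs to act on."""
    result = Reconciliation()
    for ip, ports in scan.items():
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in owned_ranges):
            result.out_of_scope.add(ip)  # confirm ownership before treating it as yours
            continue
        if ip not in inventory:
            result.unknown[ip] = ports
            for port in ports:
                if port in HIGH_RISK_PORTS:
                    result.high_risk.append((ip, port, HIGH_RISK_PORTS[port]))
    for ip, row in inventory.items():
        if ip not in scan:
            result.silent.add(ip)  # decommissioned, filtered, or a stale inventory row
        age = (as_of - date.fromisoformat(row["last_patched"])).days
        if age > max_patch_age_days:
            result.stale_patch[row["asset"]] = age
    return result


def run_example() -> Reconciliation:
    """Run the reconciliation over the constructed sample data."""
    inventory = load_inventory(INVENTORY_CSV)
    scan = load_scan(EXTERNAL_SCAN_JSON)
    return reconcile(inventory, scan, OWNED_RANGES, as_of=date(2022, 1, 10))


if __name__ == "__main__":
    findings = run_example()
    for ip, ports in findings.unknown.items():
        print(f"UNKNOWN      {ip} ports={ports}")
    for ip, port, service in findings.high_risk:
        print(f"HIGH RISK    {ip}:{port} ({service}) exposed and not inventoried")
    for ip in sorted(findings.silent):
        print(f"SILENT       {ip} inventoried but not seen externally")
    for ip in sorted(findings.out_of_scope):
        print(f"OUT OF SCOPE {ip} seen but outside declared ranges")
    for asset, age in findings.stale_patch.items():
        print(f"STALE PATCH  {asset} last patched {age} days ago")
```

Each bucket maps to a different owner: unknown hosts go to whoever can claim them (or get taken down), silent entries go back to the inventory owner to confirm the asset still exists, and stale patch dates go to the patch schedule the auditor will ask about. Feeding this from each scan, rather than once a year, is what makes the inventory a continuous process rather than a document.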

Some of these tools can seem a little overwhelming at first; however, there are plenty of resources on the web that provide step-by-step instructions on their use, even if you’re not very cybersecurity savvy. If you can spare the time and money, contract with your pen tester to provide a day of training as part of their engagement. Just don’t ask to watch them perform the pen test. It’s a distraction, and having to stop and answer questions in the middle of testing will really affect the quality of their work.

It’s Time to Prioritize Asset Management!

Finally, have a single source of truth. No scattered Google Docs, half-completed Confluence pages, or out-of-date spreadsheets. Hackers love those. They will plunder your network drives for information, and these half-hearted asset tracking mechanisms are exceptionally useful for advancing their initiatives. On top of that, asset management lists aren’t going to protect you from the bad guys, the auditors, or the hackers-for-hire if they’re not all in one place and up to date. Customers of PlexTrac can use our client asset dashboard to identify and store everything in one place.

In summary, asset management is hard, but it doesn’t have to be. You probably have the tools and resources already in place to continuously investigate and update your asset management inventory. The bad guys only need to find one unpatched device, an overly permissioned user, or a mismanaged host to gain an initial foothold, and you’re in the news. Use everything at your disposal, including your PlexTrac portal.

If you would like to learn more about PlexTrac and see how it can help your organization make asset and vulnerability management easier, visit www.plextrac.com/demo.
